1. Technical Field
The invention relates generally to the field of network security management. More particularly, the invention relates to scanning for vulnerabilities on a continuous basis and interpreting the resulting traffic in the context of policy.
2. Description of the Prior Art
Networked information systems are an essential part of many organizations. Critical systems, services, and information resources all require protection that depends on effective orchestration of a variety of factors: network architecture, security products, site security, administrative procedures, end user responsibility, and more. A network security policy is an explicit plan of how to accomplish this multi-faceted protection, what objectives the plans should meet, and what assets are being protected.
U.S. patent application Ser. No. 09/479,781 filed Jan. 7, 2000, “A Declarative Language for Specifying a Security Policy” describes a system and method for defining network security policy in a formal way, the entire contents of which are hereby incorporated by reference. Also, U.S. patent application Ser. No. 09/881,147 filed Jun. 14, 2001, “System and Method for Security Policy” describes a system and method for monitoring network traffic using such formal description of network security policy, the entire contents of which are hereby incorporated by reference. Network monitoring for network security policy provides great visibility into the actual communications of machines on the network.
Because network monitoring technology is based on actual network traffic, it cannot provide information about how machines might communicate in the future based on their current configurations. Vulnerability scanning technology helps to fill this gap.
Vulnerability Scanning Technology
Vulnerability scanning technology is exemplified by commercial products such as the various scanners by Internet Security Systems, Inc. (ISS), the Cisco Scanner by Cisco Systems, Inc., and the Nessus Network Security Scanner. This technology examines the network configuration of hosts on the network by “probing” or “scanning” them using network traffic that is crafted to elicit a response. The response is interpreted and used to determine the configuration of the host that is scanned. Using various probing techniques, the technology is capable of:
scanning a range of Internet addresses to determine which addresses likely represent working hosts and which do not;
scanning a range of Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) port numbers within a given host to determine which applications are likely active on a given working host; and
probing an application on a given host to determine whether it is susceptible to previously known attacks, known as “vulnerabilities.”
Weaknesses of Vulnerability Scanning Technology
A prominent weakness of vulnerability scanning technology is the sheer volume of information that it returns. Since the technology effectively maps all hosts, services, and vulnerabilities on the network, the resulting list contains many items that are already known to the network maintenance staff. The time spent removing known items from a vulnerability scanner report significantly reduces its effectiveness.
Typically, a vulnerability scanning tool is deployed on a regular basis. It is desirable to run this tool continuously, but the volume of data returned makes it difficult to do so and process the results effectively.
Another problem with current continuous vulnerability scanning technology is that its operation simulates that of an attacker. A network monitoring technology that is simultaneously monitoring the network is likely to detect a vulnerability scanner as an attacker and alert network maintenance staff that a strong and persistent attack is in progress. Even though the network maintenance staff presumably know that they are currently running a vulnerability scanner, the large number of monitoring violations presented by the monitor may make it difficult to find the true monitoring results.
It would be advantageous for a network security policy to know what a scanner is doing such that the policy can monitor the network without causing the scanner events to look like an attack on the network.
Because a vulnerability scanner produces large amounts of information about the network, much of which is redundant, it would be advantageous to provide a mechanism to automatically remove such redundant information. It would also be advantageous to overcome the difficult task of turning such output of the vulnerability scanner into a workflow that helps remediate identified problems with the network.
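The two problems described above (a monitor that cannot tell an authorized scanner from an attacker, and scanner output full of already-known items) can be illustrated with a small policy-aware filter. The following Python is an added example written for this discussion; it is not code from the patent or from any scanner or monitor product named above. The data classes, the baseline of accepted findings, the scan authorization record, and all addresses, ports and vulnerability labels are constructed for the example.

```python
"""Policy-aware handling of scanner output and network-monitor events.

Added example: a monitor that knows which host is the authorized scanner, which
targets it may probe and during which window, labels the scanner's traffic as an
authorized scan instead of a violation; a baseline of accepted findings removes
redundant items from the scanner report. All data below is constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Finding:
    """One item from a scanner report (hypothetical field layout)."""
    host: str
    port: int
    proto: str
    vuln_id: str


@dataclass(frozen=True)
class ScanAuthorization:
    """Policy statement: `scanner` may probe `targets` between `start` and `end`
    (epoch seconds). Hypothetical structure, not the patent's policy language."""
    scanner: str
    targets: str
    start: int
    end: int


def new_findings(report, baseline):
    """Return report items not already in the accepted baseline, dropping exact
    duplicates within the report itself and preserving report order."""
    seen = set(baseline)
    kept = []
    for finding in report:
        if finding in seen:
            continue
        seen.add(finding)
        kept.append(finding)
    return kept


def classify_event(src, dst, ts, authorizations):
    """Label one monitor event. Traffic from an authorized scanner to a permitted
    target inside its window is 'authorized-scan'; anything else stays a
    'violation' so real attacks are not masked by the scan window."""
    for auth in authorizations:
        if (src == auth.scanner
                and ip_address(dst) in ip_network(auth.targets)
                and auth.start <= ts <= auth.end):
            return "authorized-scan"
    return "violation"


# Constructed sample data (not from the page).
BASELINE = {Finding("10.0.0.5", 22, "tcp", "ssh-version-banner")}
REPORT = [
    Finding("10.0.0.5", 22, "tcp", "ssh-version-banner"),       # already accepted
    Finding("10.0.0.7", 80, "tcp", "http-trace-enabled"),       # new
    Finding("10.0.0.7", 80, "tcp", "http-trace-enabled"),       # duplicate in report
    Finding("10.0.0.9", 161, "udp", "snmp-default-community"),  # new
]
AUTHS = [ScanAuthorization("10.0.0.250", "10.0.0.0/24", 1000, 2000)]
EVENTS = [
    ("10.0.0.250", "10.0.0.7", 1500),   # scanner, in range, in window
    ("10.0.0.250", "10.0.0.7", 2500),   # scanner, but outside its window
    ("192.168.1.3", "10.0.0.7", 1500),  # not the scanner at all
    ("10.0.0.250", "10.1.0.7", 1500),   # scanner, but target outside its range
]


def summarize(report=REPORT, baseline=BASELINE, events=EVENTS, auths=AUTHS):
    """Return (count of genuinely new findings, count of real violations)."""
    fresh = new_findings(report, baseline)
    violations = [e for e in events if classify_event(*e, auths) == "violation"]
    return len(fresh), len(violations)


if __name__ == "__main__":
    for f in new_findings(REPORT, BASELINE):
        print("NEW:", f)
    for src, dst, ts in EVENTS:
        print(src, "->", dst, "@", ts, ":", classify_event(src, dst, ts, AUTHS))
```

The event classifier deliberately falls through to "violation" whenever any one of the three policy conditions (source, target range, time window) fails; widening it to the scanner's address alone would let anything spoofing that address pass unnoticed.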